Overview

The site proxy lets a published site call approved external APIs without exposing stored secrets in client-side files.
On the current SimpleHost deployment, browser-facing secret proxying is disabled while stricter request controls are being designed. The endpoint remains documented here for future compatibility, but production currently refuses public secret-backed proxy requests.
This endpoint is public because it is used by the browser, but it is tightly restricted:
  • only exact approved hosts are allowed
  • only HTTPS targets are allowed
  • stored secrets are substituted server-side
  • raw stored secret values are never returned by the management API

Endpoint

POST /api/v1/proxy/:slug

Path Parameters

  • slug (string, required): The site slug making the request.

Request Body

  • url (string, required): The full HTTPS URL to call. The hostname must already be approved for this site.
  • method (string): HTTP method to send. Defaults to GET.
  • headers (object): Optional headers. Use {{VARIABLE_NAME}} placeholders where a stored secret should be inserted.
  • body (string): Optional request body. This may also contain {{VARIABLE_NAME}} placeholders.

Example

curl -s -X POST https://simplehost.dev/api/v1/proxy/bright-canvas-a7k2 \
  -H "Content-Type: application/json" \
  -d '{
    "url": "https://api.openai.com/v1/responses",
    "method": "POST",
    "headers": {
      "Authorization": "Bearer {{OPENAI_API_KEY}}",
      "Content-Type": "application/json"
    },
    "body": "{\"model\":\"gpt-4.1-mini\",\"input\":\"hello\"}"
  }'

Response

The proxy returns the upstream response status and body, subject to SimpleHost safety checks and response header filtering. When the feature is disabled on a deployment, the endpoint returns a 403 FORBIDDEN response instead of forwarding the request.

Rules

  • The destination hostname must be on the site’s allowlist
  • Only HTTPS URLs are accepted
  • Secret values must be referenced using {{VARIABLE_NAME}}
  • Do not hardcode private keys into browser files
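
The rules above, sketched as server-side checks in JavaScript. This is an added example, not SimpleHost's code: `buildOutbound`, `substitute`, the shape of the `site` object and the sample secret value are all assumptions made for illustration.

```javascript
// Added illustration; not SimpleHost's implementation. All names are hypothetical.
const PLACEHOLDER = /\{\{([A-Z0-9_]+)\}\}/g;

// Replace {{NAME}} with the stored value; fail closed on names that are not stored.
function substitute(text, secrets) {
  return text.replace(PLACEHOLDER, (_, name) => {
    if (!Object.prototype.hasOwnProperty.call(secrets, name)) {
      throw new Error(`unknown variable: ${name}`);
    }
    return secrets[name];
  });
}

// Validate a proxy request body against the documented rules and build the outbound request.
function buildOutbound(req, site) {
  let target;
  try {
    target = new URL(req.url);
  } catch {
    throw new Error("invalid url");
  }
  if (target.protocol !== "https:") throw new Error("only HTTPS targets are allowed");
  // Reject userinfo so "https://approved-host@other-host/" cannot be mistaken for the approved host.
  if (target.username || target.password) throw new Error("credentials in URL not allowed");
  // Exact match on the parsed hostname: no suffix, prefix or substring matching.
  // (The port is not checked in this sketch.)
  if (!site.allowedHosts.includes(target.hostname)) throw new Error("host not approved");

  // Placeholders are expanded only in headers and body, as the request body fields describe.
  const headers = {};
  for (const [key, value] of Object.entries(req.headers || {})) {
    headers[key] = substitute(String(value), site.secrets);
  }
  const body = req.body == null ? undefined : substitute(String(req.body), site.secrets);
  return { url: target.href, method: req.method || "GET", headers, body };
}

// Constructed sample site configuration and secret value.
const site = {
  allowedHosts: ["api.openai.com"],
  secrets: { OPENAI_API_KEY: "sk-constructed-example" },
};
```

Matching on the parsed hostname rather than on the raw URL string is what makes "exact approved hosts" hold for inputs such as `https://api.openai.com.evil.example/`.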

Intended Flow

When this feature is enabled on a deployment, the intended flow is:
  1. A publish is blocked because exposed secrets were detected in browser files
  2. The agent explains the issue to the user in plain language
  3. The user gives permission to secure it
  4. The agent stores the secret as a site variable
  5. The agent approves the exact outbound host
  6. The agent updates only the published copy to use this proxy
  7. The agent republishes safely
For a full explanation of the blocked-publish behavior, see Finalize and Errors.